Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions
Terrence August
Joint work with Tunay I. Tunca
Motivation: Internet Server Software Market
Motivation: Code Red and the Problem
  Code Red / Code Red II: worm that attacks web servers running IIS
  Installs a back door and propagates 100 times over per infection
  Distributed Denial of Service (DDoS) attack on www1.whitehouse.gov
  Patch issued by Microsoft on June 18, 2001
  Code Red worm strikes on July 19, 2001
  $2.75 Billion in damages
Motivation: Worm Damage and Time from Vulnerability Notice
  Worm       Time from vulnerability notice   Estimated cost ($)
  Code Red   month                            2.75 Billion
  Slammer    months                           1.5 Billion
  Blaster    month                            750 Million
  Sasser     weeks                            14.8 Billion
  Zotob      days                             $98K/company (on average)
US-CERT Coordination Center
Motivation: Microsoft (Windows Genuine Advantage)
  Timeline: Apr-04, May-04, Late May-04, Jul-04, Sept-04, Feb-05, May-05
  Mike Nash (VP, Security Business and Technology Unit) and Barry Goffe (Product Mgr) on record: pirates can obtain security patches [Permit Pirates, SP2]
  Microsoft issues statement saying that only paid customers will have access to Service Pack 2 for XP [Restrict Pirates, SP2]
  Microsoft loosens restrictions, only checking for two counterfeit keys for the SP2 update [Permit Pirates, SP2]
  Trial stage of Windows Genuine Advantage, followed by a pilot phase for 20 countries [Restrict Pirates, WGA]
  Microsoft claims that under WGA, security patches will be exempt [Permit Pirates, WGA]
Motivation: Two Options
  Make security patches available to all users
    Network is more secure (Sasser worm: $14.8B; Slammer worm: $1.5B)
    Network effects
  Restrict security patches to legitimate users only
    Network is less secure
    Curbs piracy
Motivation: Piracy in the Software Industry
  Source: Business Software Alliance (BSA) and International Data Corporation (IDC)
  Piracy rates: 35% in 2004; exceeds 75% in 24 countries
  Economic losses (globally): $59B spent on packaged software, $90B+ installed
Motivation: Research Questions
  Under high network security risk, should a software vendor make security patches readily available to all users?
  Why might a vendor such as Microsoft allow pirates to patch security vulnerabilities?
  Can piracy lead to less secure software products?
  Are the arguments made by the security community that software vendors should “do the right thing” valid?
Literature Review: Economics of Information Security and Piracy
  Information security
    Interdependent security: e.g., Kunreuther et al. (2002), Kunreuther and Heal (2003, 2005), Varian (2004), August and Tunca (2006)
    Quantification of losses: e.g., Moore and Shannon (2002), Cavusoglu (2004)
    Worm spread dynamics: e.g., Weaver et al. (2003)
  Piracy: e.g., Peitz and Waelbroeck (2003)
Model: Key Observations
  Software patching is costly
  Losses from security breaches are positively correlated with valuations
  Piracy tendencies vary across users
Model: Timeline
  t = 0: Vendor sets price and policy
  t = 1: Consumers make usage decisions
  t = 2: Vendor releases security patches / consumers make patching decisions
  t = 3: Worm attack realizes on the network
Model: Consumer Model
  Consumer valuation space:
  Consumer heterogeneity in regard to piracy:
  Consumer action space:
Model: Costs and Losses
  Effective cost of patching:
  Loss from attack:
  Expected cost of piracy:
Consumer Market Structure: Consumer’s Problem
Consumer Market Structure: Equilibrium Characteristics
  There is always a group of consumers who use the software but do not patch
  There is always a population of users whose valuations are higher than the price but who end up not purchasing the software
  Users impose negative externalities on other users and on the software vendor
Consumer Market Structure: Pricing and Piracy
  Pricing to deter piracy: two regions (August and Tunca 2006)
  Region 1: Low price
  Region 2: High price
Consumer Market Structure: Threshold Characterization
Consumer Market Structure: Pricing and Piracy
  Two policies which the firm can enforce:
  Permissive policy: “let” the pirates patch
  Restrictive policy: do “not let” the pirates patch
Consumer Market Structure: Let the Pirates Patch
  Unpatched population:
Consumer Market Structure: Let the Pirates Patch
  Four possible equilibrium market structures, ordered by increasing security risk
Consumer Market Structure: Don’t Let the Pirates Patch
  Unpatched population:
Consumer Market Structure: Don’t Let the Pirates Patch
  Six possible equilibrium market structures, ordered by increasing security risk
Vendor Profit Maximization: Profit Functions and the Vendor’s Problem
Results: Optimal Policy Decision for the Vendor
  When to restrict security patches?
  When to let pirates patch?
Results: Proposition 1 (when to be restrictive)
  When the effective security risk is high, a software vendor can strictly increase his profit by restricting pirates from receiving security patches.
  Common perception, by contrast: reduce the risk on the network; a more secure product benefits all users
Results: Don’t let them patch when… (figure: policy regions labelled “Let” and “Do not Let”)
Results: Proposition 2 (when to be permissive)
  When the patching cost is not too high and the effective security risk is below a threshold value, a software vendor should permit pirates access to security patches.
  Contrast with the restrictive case:
    Strong incentives to patch
    Vendor wants to price high
    Not willing to provide incentives for conversion
    Increased usage due to a reduction in negative network effects
Results: Let them patch when… (figure: policy regions labelled “Let” and “Do not Let”)
Results: Proposition 3
  When the potential for piracy in a market is high, a software vendor should enforce a restrictive policy.
    Candidates: Vietnam, Ukraine, China, …
    Small size of the low-piracy-tendency (Type L) population
  When the potential for piracy in a market is high, a software vendor prefers a less secure product to a more secure product.
Results: Lack of Incentives for Secure Software
Results: Proposition 4
  When the effective security risk is high and the patching cost is affordable to some users, the vendor’s optimal profit can decrease in the level of piracy enforcement.
  (figure: optimal profit against piracy enforcement, from Low to High, under high security risk; regions labelled “Increasing” and “Decreasing”)
Results: Proposition 5
  When the patching cost and the effective security risk are low, social welfare can increase under a restrictive policy.
  Security patch restrictions can be welfare superior to a permissive approach
Results: Let the Pirates Patch?
Concluding Remarks: Summary
  Model of network software security with piracy
  Role of incentives in setting security patch restriction policies
  Explains patch restrictions under high security risk and Microsoft’s permissive policy
  Security risk can be strategically used by vendors as a tool to convert pirates into legitimate users
  Security patch restrictions do not necessarily reduce welfare